HomeIntelligenceBrief
VULNERABILITY BRIEF🔴 Critical Vulnerability

Critical WP Maps Pro Flaw Actively Exploited to Create Admin Accounts on WordPress Sites

Threat actors are exploiting a critical flaw in the WP Maps Pro WordPress plugin to create unauthorized administrator accounts on vulnerable sites. The vulnerability is unauthenticated and can give attackers full control of the WordPress admin console, posing a supply‑chain risk for any organization using the plugin.

LiveThreat™ Intelligence · 📅 June 01, 2026· 📰 thehackernews.com
🔴
Severity
Critical
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
5 sector(s)
Actions
4 recommended
📰
Source
thehackernews.com

Critical WP Maps Pro Flaw Actively Exploited to Create Admin Accounts on WordPress Sites

What Happened — Threat actors are actively exploiting a critical vulnerability in the WP Maps Pro WordPress plugin to create unauthorized administrator accounts on vulnerable sites. The flaw can be triggered remotely without authentication, granting full control of the WordPress admin console.

Why It Matters for TPRM

  • Compromise of a widely‑used third‑party plugin can cascade to dozens of downstream customers.
  • Unauthorized admin access enables data exfiltration, site defacement, and ransomware deployment.
  • The issue highlights the need for continuous monitoring of third‑party components in web‑based supply chains.

Who Is Affected — Digital agencies, e‑commerce platforms, media publishers, SaaS providers, and any organization running WordPress sites that have installed WP Maps Pro.

Recommended Actions

  • Immediately update WP Maps Pro to the vendor‑released patch (or remove the plugin if no fix is available).
  • Conduct a sweep of all admin accounts for unknown users and enforce strong password policies.
  • Deploy web‑application firewall (WAF) rules to block suspicious requests to the plugin’s endpoints.
  • Incorporate plugin version monitoring into your third‑party risk program.

Technical Notes — The exploit leverages an unauthenticated remote code path that writes a new user with the administrator role. No public CVE identifier has been assigned yet. Compromised sites risk exposure of all site data, including user credentials, payment information, and proprietary content. Source: The Hacker News

📰 Original Source
https://thehackernews.com/2026/06/critical-wp-maps-pro-flaw-actively.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Could you prove your access controls held up here?

Credential and access failures map directly to SOC 2 access-control criteria. The Verisq AI Trust Operations platform shows where your evidence is thin before an auditor — or an attacker — finds out.

Explore the Verisq AI Trust Operations platform →